locked
Re-Occurring Blue Screen~Dump files included~Please Help~Unable to verify timestamp for ntkrnlpa.exe RRS feed

  • Question

  • Hello,

    Starting yesterday I started getting the BSOD. I have uploaded my dump files to this dropbox account:

    www.dropbox.com/sh/w3ryago8pfcw2y2/AAAR5i6Crx5q-p--xdESJjnMa

    There are lots of them as my PC crashed many times.

    I attempted to analyze them with windbg but all I can see is:

    Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe

    Also I ran sfc /scannow and it found no integrity violations.

    After the first BSOD I was barely able to get Windows to load without another immediate crash. I couldn't boot my PC last night but today seems okay so far. CPU temp was fine, actually quite cool as I had my window open right by the PC with the side off the case and it was cold last night. Today, so far, seems to be running okay...so far anyways..

    • Windows update recently installed a driver for my on-board video card (Nvidia GeForce 6150n) on the 18th I think as I started using a 2nd monitor using the on-board card in addition to my PCI Express Ati Radeon HD. To use the second screen, I switched the primary video in CMOS to on-board instead of PCI-E 16x so the on-board Nvidia card would be enabled.
    • I also installed brand new ram (4gb DDR2) about a month ago
    • and a new power supply 2 months ago. The power supply is not "exactly" the same voltage as the one that was in there but it's dang close. But I don't have any power leeching components.

    Other than that nothing new has happened. After I got the crash, I tried to enter CMOS yesterday and it glitched out on me twice. I hope it's not my motherboard..

    I am willing to do a system re-format as I am running Windows 7 32bit on a 64bit AMD so I wouldn't mind having 64 bit Windows anyways but I'd like to know what the problem is before I do this. Thank you.

    Update: Just did a MalwareByte's Anti-Malware scan and no malware but found these items: 


    Scan Date: 5/22/2014
    Scan Time: 6:08:00 PM
    Logfile: 

    OS: Windows 7 Service Pack 1
    CPU: x86
    File System: NTFS
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 261539
    Time Elapsed: 8 min, 10 sec

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 2
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0, , [dd97c58f413a74c2503e7106649ec23e], 

    Files: 9
    PUP.Optional.OptimumInstaller.A, C:\Users\Justin\Downloads\Player-Chrome.exe, , [6b090a4a4437d363a05f361717ea718f], 
    PUP.Optional.Outbrowse, C:\Users\Justin\Downloads\install-flashplayer.exe, , [561ee173fe7d1125edf4d9a443be5aa6], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\icon-128.png, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\icon-16.png, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\icon-48.png, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\jquery-1.10.2.min.js, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\manifest.json, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\tweetwiki.js, , [dd97c58f413a74c2503e7106649ec23e], 
    PUP.Optional.CrossRider.A, C:\Users\Justin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ecoccdldklbjglocbgbfpmpehjegkode\0.1_0\_DS_Store, , [dd97c58f413a74c2503e7106649ec23e], 

    Physical Sectors: 0
    (No malicious items detected)


    • Edited by jcain77 Thursday, May 22, 2014 11:22 PM
    Thursday, May 22, 2014 11:00 PM

Answers

  • Hi,

    All of the attached DMP files are of the WHEA_UNCORRECTABLE_ERROR (124) bug check.

    A fatal hardware error has occurred. This fatal error displays data from the Windows Hardware Error Architecture (WHEA).

    If we run an !errrec on the 2nd parameter of the bug check (address of the WER structure) we get the following:

    BugCheck 124, {0, 867d2024, b2000010, 10c0f}
    

    ===============================================================================
    Section 2     : x86/x64 MCA
    -------------------------------------------------------------------------------
    Descriptor    @ 867d2134
    Section       @ 867d22bc
    Offset        : 664
    Length        : 264
    Flags         : 0x00000000
    Severity      : Fatal
    
    Error         : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
      Status      : 0xb200001000010c0f
    

    This is a pretty complicated error compared to other possibilities it could have been, as it implies you have a hardware fault somewhere along the bus (not very definitive on its own).

    In our case however, we can go a bit deeper with this one:

    0: kd> .formats 0xb200001000010c0f
    Evaluate expression:
      Hex:     b2000010`00010c0f
      Decimal: -5620492266238833649
      Octal:   1310000001000000206017
      Binary:  10110010 00000000 00000000 00010000 00000000 00000001 00001100 00001111
      Chars:   ........
      Time:    ***** Invalid FILETIME
      Float:   low 9.61613e-041 high -7.45059e-009
      Double:  -7.41853e-068
    

    Now that we have this info, we'd refer to the AMD manual:

    63 VAL Valid
    62 OVER Status Register Overflow
    61 UC Uncorrected Error
    60 EN Error Condition Enabled
    59 MISCV Miscellaneous-Error Register Valid
    58 ADDRV Error-Address Register Valid
    57 PCC Processor-Context Corrupt
    56–32 Other Information
    31–16 Model-Specific Error Code
    15–0 MCA Error Code

    In our specific case, bit 63 of the status code is set, so it is valid. Bit 62 of the status code is unset, therefore there's no overflow. Bit 61 implies an uncorrected error has occurred, and Bit 60 implies an error condition was enabled. Last but not least, Bit 57 is set and implies a corrupted processor context.

    If we take a look at the last 15 bits of the binary:

    Binary:  [trimming] 00001100 00001111
    

    In our case, the MSB in binary (00001100 ), implies a bus error occurred (as I mentioned above). We need to further decode the bits to understand more:

    [0000]1100 00001111

    0000 = 1PPT RRRR IILL.

    PP = Participation Processor, T = Timeout, R = Memory Transaction Type, I = Memory and/or I/O, and finally L = Cache Level.

    With this said, it appears we actually have a faulty motherboard as the processor seems fine, etc. The only other thing I see possible is bad RAM, which you can figure out whether or not is the case by running no less than ~8 passes of Memtest:

    Memtest86+:

    Download Memtest86+ here:

    http://www.memtest.org/

    Which should I download?

    You can either download the pre-compiled ISO that you would burn to a CD and then boot from the CD, or you can download the auto-installer for the USB key. What this will do is format your USB drive, make it a bootable device, and then install the necessary files. Both do the same job, it's just up to you which you choose, or which you have available (whether it's CD or USB).

    Do note that some older generation motherboards do not support USB-based booting, therefore your only option is CD (or Floppy if you really wanted to).

    How Memtest works:

    Memtest86 writes a series of test patterns to most memory addresses, reads back the data written, and compares it for errors.

    The default pass does 9 different tests, varying in access patterns and test data. A tenth test, bit fade, is selectable from the menu. It writes all memory with zeroes, then sleeps for 90 minutes before checking to see if bits have changed (perhaps because of refresh problems). This is repeated with all ones for a total time of 3 hours per pass.

    Many chipsets can report RAM speeds and timings via SPD (Serial Presence Detect) or EPP (Enhanced Performance Profiles), and some even support changing the expected memory speed. If the expected memory speed is overclocked, Memtest86 can test that memory performance is error-free with these faster settings.

    Some hardware is able to report the "PAT status" (PAT: enabled or PAT: disabled). This is a reference to Intel Performance acceleration technology; there may be BIOS settings which affect this aspect of memory timing.

    This information, if available to the program, can be displayed via a menu option.

    Any other questions, they can most likely be answered by reading this great guide here:

    http://forum.canardpc.com/threads/28864-FAQ-please-read-before-posting

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    • Marked as answer by jcain77 Friday, May 23, 2014 1:18 AM
    Thursday, May 22, 2014 11:16 PM

All replies

  • Hi,

    All of the attached DMP files are of the WHEA_UNCORRECTABLE_ERROR (124) bug check.

    A fatal hardware error has occurred. This fatal error displays data from the Windows Hardware Error Architecture (WHEA).

    If we run an !errrec on the 2nd parameter of the bug check (address of the WER structure) we get the following:

    BugCheck 124, {0, 867d2024, b2000010, 10c0f}
    

    ===============================================================================
    Section 2     : x86/x64 MCA
    -------------------------------------------------------------------------------
    Descriptor    @ 867d2134
    Section       @ 867d22bc
    Offset        : 664
    Length        : 264
    Flags         : 0x00000000
    Severity      : Fatal
    
    Error         : BUSLG_OBS_ERR_*_NOTIMEOUT_ERR (Proc 0 Bank 4)
      Status      : 0xb200001000010c0f
    

    This is a pretty complicated error compared to other possibilities it could have been, as it implies you have a hardware fault somewhere along the bus (not very definitive on its own).

    In our case however, we can go a bit deeper with this one:

    0: kd> .formats 0xb200001000010c0f
    Evaluate expression:
      Hex:     b2000010`00010c0f
      Decimal: -5620492266238833649
      Octal:   1310000001000000206017
      Binary:  10110010 00000000 00000000 00010000 00000000 00000001 00001100 00001111
      Chars:   ........
      Time:    ***** Invalid FILETIME
      Float:   low 9.61613e-041 high -7.45059e-009
      Double:  -7.41853e-068
    

    Now that we have this info, we'd refer to the AMD manual:

    63 VAL Valid
    62 OVER Status Register Overflow
    61 UC Uncorrected Error
    60 EN Error Condition Enabled
    59 MISCV Miscellaneous-Error Register Valid
    58 ADDRV Error-Address Register Valid
    57 PCC Processor-Context Corrupt
    56–32 Other Information
    31–16 Model-Specific Error Code
    15–0 MCA Error Code

    In our specific case, bit 63 of the status code is set, so it is valid. Bit 62 of the status code is unset, therefore there's no overflow. Bit 61 implies an uncorrected error has occurred, and Bit 60 implies an error condition was enabled. Last but not least, Bit 57 is set and implies a corrupted processor context.

    If we take a look at the last 15 bits of the binary:

    Binary:  [trimming] 00001100 00001111
    

    In our case, the MSB in binary (00001100 ), implies a bus error occurred (as I mentioned above). We need to further decode the bits to understand more:

    [0000]1100 00001111

    0000 = 1PPT RRRR IILL.

    PP = Participation Processor, T = Timeout, R = Memory Transaction Type, I = Memory and/or I/O, and finally L = Cache Level.

    With this said, it appears we actually have a faulty motherboard as the processor seems fine, etc. The only other thing I see possible is bad RAM, which you can figure out whether or not is the case by running no less than ~8 passes of Memtest:

    Memtest86+:

    Download Memtest86+ here:

    http://www.memtest.org/

    Which should I download?

    You can either download the pre-compiled ISO that you would burn to a CD and then boot from the CD, or you can download the auto-installer for the USB key. What this will do is format your USB drive, make it a bootable device, and then install the necessary files. Both do the same job, it's just up to you which you choose, or which you have available (whether it's CD or USB).

    Do note that some older generation motherboards do not support USB-based booting, therefore your only option is CD (or Floppy if you really wanted to).

    How Memtest works:

    Memtest86 writes a series of test patterns to most memory addresses, reads back the data written, and compares it for errors.

    The default pass does 9 different tests, varying in access patterns and test data. A tenth test, bit fade, is selectable from the menu. It writes all memory with zeroes, then sleeps for 90 minutes before checking to see if bits have changed (perhaps because of refresh problems). This is repeated with all ones for a total time of 3 hours per pass.

    Many chipsets can report RAM speeds and timings via SPD (Serial Presence Detect) or EPP (Enhanced Performance Profiles), and some even support changing the expected memory speed. If the expected memory speed is overclocked, Memtest86 can test that memory performance is error-free with these faster settings.

    Some hardware is able to report the "PAT status" (PAT: enabled or PAT: disabled). This is a reference to Intel Performance acceleration technology; there may be BIOS settings which affect this aspect of memory timing.

    This information, if available to the program, can be displayed via a menu option.

    Any other questions, they can most likely be answered by reading this great guide here:

    http://forum.canardpc.com/threads/28864-FAQ-please-read-before-posting

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    • Marked as answer by jcain77 Friday, May 23, 2014 1:18 AM
    Thursday, May 22, 2014 11:16 PM
  • Thank you for that extremely in-depth analysis!! I will run the memtest now. It better not be RAM as I just purchased this RAM brand new from newegg.com. Unfortunately, not a good sign if the motherboard is bad either. That sucks. Thank you. I'll check out the RAM now and if that's good I guess I need to buy a new Motherboard! Thank you again.
    Thursday, May 22, 2014 11:24 PM
  • My pleasure, please keep me updated!

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Friday, May 23, 2014 12:11 AM
  • Well 8 passes of memory test in full mode revealed zero memory errors. So I guess it's motherboard? Weird thing is, last night I couldn't even boot to Windows. Today, it's like nothing is wrong. 
    Friday, May 23, 2014 1:16 AM
  • Correct, bad board!

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Friday, May 23, 2014 1:30 AM